CVE-2024-42356: Shopware Context Variable Injection Vulnerability in Twig Templates
Shopware is a popular open commerce platform that provides businesses and developers with a robust and feature-rich environment to create customized e-commerce solutions. However, prior to versions 6.6.5.1 and 6.5.8.13, the platform was susceptible to a vulnerability involving the context variable that is injected into almost all Twig Templates. This variable not only exposed sensitive data like language and currency information but also enabled attackers to call any statically callable PHP function or method from Twig.
Affected Versions
Shopware versions prior to 6.6.5.1 and 6.5.8.13. The vulnerability also impacts older versions 6.1, 6.2, 6.3, and 6.4 but can be mitigated using a security plugin.
Exploit Details
The vulnerability exists because the context variable is injected into almost any Twig Template, giving access to current language and currency information. Furthermore, the context object allows switching the scope for a short time using a helper with a callable function. Since the second parameter of the function accepts any callable, it becomes possible to call any statically callable PHP function or method from Twig.
Please note that an attacker needs administrative access to exploit this vulnerability using Mail templates or App Scripts, as regular customers cannot provide any Twig code.
Here's a sample illustrating the vulnerability
{# In a Twig Template #}
{% set contextSwitcher = context.createLanguageSwitcher %}
{% set result = contextSwitcher.call('Some\Class::staticMethod', arg1, arg2) %}
In this example, the context variable is used to create a language switcher and then call a static method from a given class.
Original References
1. Shopware Security Update
2. Shopware Context Variable Vulnerability
Mitigation
To address this vulnerability, it is recommended that affected users update to Shopware 6.6.5.1 or 6.5.8.13 for the appropriate patch. For older versions (6.1, 6.2, 6.3, and 6.4), users can install a dedicated security plugin that provides corresponding security measures.
Conclusion
Shopware is a powerful platform for e-commerce solutions, but this vulnerability demonstrates the importance of updating to the latest version and ensuring proper security measures are in place. By updating to Shopware 6.6.5.1 or 6.5.8.13, or installing the security plugin for older versions, users can protect their systems from potential exploitation by attackers with administrative access.
Timeline
Published on: 08/08/2024 15:15:18 UTC
Last modified on: 08/12/2024 15:34:08 UTC